
Steps to Sign and Timestamp a Java Jar File

Here’s the step-by-step guide to signing and timestamping a JAR file.

Step 1: Locate the certificate in your browser and export it together with the private key, including all the certificates in the chain and the extended properties. You will be asked for a password, and the file format will be .PFX.

Step 2: Be sure to install and use the latest version of JDK.

Step 3: Once you have created a .bat file, run the command below:

keytool.exe -importkeystore -srckeystore ExportedCertificateFileExample.pfx -srcstoretype pkcs12 -destkeystore KeystoreFileExample -deststoretype JKS

This will create the keystore file KeystoreFileExample.

Step 4: Run this command to get the alias value assigned by Comodo:

keytool.exe -list -storepass YourPassword -keystore KeystoreFileExample -v

Note: YourPassword is the same password that you entered in Step 3.

Step 5: To sign the JAR, use this syntax:

jarsigner.exe -keypass KeyPasswordExample -keystore KeystoreFileExample -storepass YourStorePassword -tsa https://timestamp.comodoca.com/rfc3161 -digestalg SHA-1 JarNameFile.jar YourAliasString

The password will be the same as the one used in Step 3.

Note:

  • The store password and the key password can be different.
  • -digestalg can be any algorithm you choose, such as SHA-1 or SHA-256.

Step 6: If you want, verify the signed jar using this command:

jarsigner.exe -verify -verbose -certs JarNameFile.jar

One thing to note: to timestamp with Jarsigner, the timestamps must comply with the Time-Stamping Protocol (RFC 3161). So it is better to use a timestamp URL that supports it with Jarsigner; see https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server.
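
A read-only check to run alongside Step 6, added here as an example (not code from the original guide or from Comodo): it reports which digest algorithm the signature file records and whether the signature block carries an RFC 3161 timestamp token. The function names, the `SIGNER` entry names, the weak-digest list and the constructed sample JAR are assumptions of this example, and the timestamp check is a byte-pattern heuristic that does not validate the signature.

```python
import io
import re
import zipfile

# DER bytes of OID 1.2.840.113549.1.9.16.2.14, the PKCS#7 unsigned attribute
# that holds an RFC 3161 timestamp token. Searching for it is a heuristic.
TS_TOKEN_OID = bytes.fromhex("060b2a864886f70d010910020e")
WEAK_DIGESTS = {"MD2", "MD5", "SHA1"}  # assumption: this example's own policy
BLOCK_EXTS = (".RSA", ".DSA", ".EC")


def inspect_signed_jar(jar_bytes):
    """Per signer: digests named in the .SF file, signature block, timestamp."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = {n.upper(): n for n in jar.namelist()}
        for upper, name in names.items():
            if not re.fullmatch(r"META-INF/[^/]+\.SF", upper):
                continue
            sf_text = jar.read(name).decode("utf-8", "replace")
            # Attribute names look like "SHA-256-Digest-Manifest" or "SHA1-Digest".
            found = re.findall(r"^([A-Za-z0-9-]+?)-Digest[A-Za-z-]*:", sf_text, re.M)
            digests = sorted({d.replace("-", "").upper() for d in found})
            block = next((names[upper[:-3] + ext] for ext in BLOCK_EXTS
                          if upper[:-3] + ext in names), None)
            report[name] = {
                "digests": digests,
                "weak_digest": any(d in WEAK_DIGESTS for d in digests),
                "signature_block": block,
                "timestamped": bool(block) and TS_TOKEN_OID in jar.read(block),
            }
    return report


def build_sample_jar(digest_name, timestamped):
    """Constructed test input: a JAR-shaped zip with placeholder signature data."""
    sf = (f"Signature-Version: 1.0\r\n{digest_name}-Digest-Manifest: AAAA\r\n\r\n"
          f"Name: Example.class\r\n{digest_name}-Digest: BBBB\r\n\r\n")
    blob = b"\x30\x82placeholder" + (TS_TOKEN_OID if timestamped else b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/SIGNER.SF", sf)
        jar.writestr("META-INF/SIGNER.RSA", blob)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_signed_jar(build_sample_jar("SHA-1", timestamped=False)))
```

To check a real file, pass its bytes to `inspect_signed_jar`, for example the contents of JarNameFile.jar read in binary mode.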